dcrat | cc421383e06b6fc90b0ec1a85268c2b832bff792f2fdddb871e69287fe9dfa30

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc421383e06b6fc90b0ec1a85268c2b832bff792f2fdddb871e69287fe9dfa30.exe
Size

1.3MB
MD5

736a9dd5ac086df2ce7bdfe71c5afc9e
SHA1

e347a1e5d63d61c1b9d49425ef6418873a9b62f0
SHA256

cc421383e06b6fc90b0ec1a85268c2b832bff792f2fdddb871e69287fe9dfa30
SHA512

63ddc9a4fd867b99d35df5fbfcf5d488cb96345eddd068a26d8a4a11bd83432c759fd72e3c0f5abb42605f793778935557f63f60595cf95af024931487ae04bd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2632	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2632	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019217-9.dat	dcrat
behavioral1/memory/2788-13-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/1812-93-0x00000000008B0000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/memory/1032-248-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/2008-309-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/3000-369-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/1692-429-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2852-489-0x0000000000970000-0x0000000000A80000-memory.dmp	dcrat
behavioral1/memory/2004-608-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/3004-668-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2440-728-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2396	powershell.exe
2144	powershell.exe
3064	powershell.exe
2400	powershell.exe
2196	powershell.exe
320	powershell.exe
2408	powershell.exe
760	powershell.exe
2204	powershell.exe
680	powershell.exe
1912	powershell.exe
2212	powershell.exe
2524	powershell.exe
2596	powershell.exe
1356	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2788	DllCommonsvc.exe
1808	DllCommonsvc.exe
1812	System.exe
2728	System.exe
1032	System.exe
2008	System.exe
3000	System.exe
1692	System.exe
2852	System.exe
288	System.exe
2004	System.exe
3004	System.exe
2440	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	cmd.exe
2688	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\audiodg.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\DVD Maker\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\6cb0b6c459d5d3	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IME\IMETC10\DICTS\System.exe	DllCommonsvc.exe
File created	C:\Windows\IME\IMETC10\DICTS\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc421383e06b6fc90b0ec1a85268c2b832bff792f2fdddb871e69287fe9dfa30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2368	schtasks.exe
1612	schtasks.exe
2912	schtasks.exe
2596	schtasks.exe
2556	schtasks.exe
1980	schtasks.exe
2728	schtasks.exe
2828	schtasks.exe
2816	schtasks.exe
2664	schtasks.exe
1680	schtasks.exe
1608	schtasks.exe
2516	schtasks.exe
2584	schtasks.exe
2664	schtasks.exe
2972	schtasks.exe
2940	schtasks.exe
2456	schtasks.exe
2588	schtasks.exe
768	schtasks.exe
2312	schtasks.exe
1604	schtasks.exe
2920	schtasks.exe
2812	schtasks.exe
1012	schtasks.exe
2716	schtasks.exe
1476	schtasks.exe
492	schtasks.exe
1696	schtasks.exe
2028	schtasks.exe
2500	schtasks.exe
2000	schtasks.exe
2008	schtasks.exe
2732	schtasks.exe
2360	schtasks.exe
2736	schtasks.exe
1676	schtasks.exe
2748	schtasks.exe
1424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2788	DllCommonsvc.exe
2396	powershell.exe
2196	powershell.exe
320	powershell.exe
2212	powershell.exe
2400	powershell.exe
3064	powershell.exe
2144	powershell.exe
1808	DllCommonsvc.exe
1808	DllCommonsvc.exe
1808	DllCommonsvc.exe
2408	powershell.exe
1912	powershell.exe
680	powershell.exe
2524	powershell.exe
1356	powershell.exe
2596	powershell.exe
760	powershell.exe
1812	System.exe
2204	powershell.exe
2728	System.exe
1032	System.exe
2008	System.exe
3000	System.exe
1692	System.exe
2852	System.exe
288	System.exe
2004	System.exe
3004	System.exe
2440	System.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	DllCommonsvc.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1808	DllCommonsvc.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1812	System.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2728	System.exe
Token: SeDebugPrivilege	1032	System.exe
Token: SeDebugPrivilege	2008	System.exe
Token: SeDebugPrivilege	3000	System.exe
Token: SeDebugPrivilege	1692	System.exe
Token: SeDebugPrivilege	2852	System.exe
Token: SeDebugPrivilege	288	System.exe
Token: SeDebugPrivilege	2004	System.exe
Token: SeDebugPrivilege	3004	System.exe
Token: SeDebugPrivilege	2440	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2828	1916	cc421383e06b6fc90b0ec1a85268c2b832bff792f2fdddb871e69287fe9dfa30.exe	31
PID 1916 wrote to memory of 2828	1916	cc421383e06b6fc90b0ec1a85268c2b832bff792f2fdddb871e69287fe9dfa30.exe	31
PID 1916 wrote to memory of 2828	1916	cc421383e06b6fc90b0ec1a85268c2b832bff792f2fdddb871e69287fe9dfa30.exe	31
PID 1916 wrote to memory of 2828	1916	cc421383e06b6fc90b0ec1a85268c2b832bff792f2fdddb871e69287fe9dfa30.exe	31
PID 2828 wrote to memory of 2688	2828	WScript.exe	32
PID 2828 wrote to memory of 2688	2828	WScript.exe	32
PID 2828 wrote to memory of 2688	2828	WScript.exe	32
PID 2828 wrote to memory of 2688	2828	WScript.exe	32
PID 2688 wrote to memory of 2788	2688	cmd.exe	34
PID 2688 wrote to memory of 2788	2688	cmd.exe	34
PID 2688 wrote to memory of 2788	2688	cmd.exe	34
PID 2688 wrote to memory of 2788	2688	cmd.exe	34
PID 2788 wrote to memory of 320	2788	DllCommonsvc.exe	54
PID 2788 wrote to memory of 320	2788	DllCommonsvc.exe	54
PID 2788 wrote to memory of 320	2788	DllCommonsvc.exe	54
PID 2788 wrote to memory of 2196	2788	DllCommonsvc.exe	55
PID 2788 wrote to memory of 2196	2788	DllCommonsvc.exe	55
PID 2788 wrote to memory of 2196	2788	DllCommonsvc.exe	55
PID 2788 wrote to memory of 2400	2788	DllCommonsvc.exe	56
PID 2788 wrote to memory of 2400	2788	DllCommonsvc.exe	56
PID 2788 wrote to memory of 2400	2788	DllCommonsvc.exe	56
PID 2788 wrote to memory of 2212	2788	DllCommonsvc.exe	59
PID 2788 wrote to memory of 2212	2788	DllCommonsvc.exe	59
PID 2788 wrote to memory of 2212	2788	DllCommonsvc.exe	59
PID 2788 wrote to memory of 3064	2788	DllCommonsvc.exe	60
PID 2788 wrote to memory of 3064	2788	DllCommonsvc.exe	60
PID 2788 wrote to memory of 3064	2788	DllCommonsvc.exe	60
PID 2788 wrote to memory of 2144	2788	DllCommonsvc.exe	61
PID 2788 wrote to memory of 2144	2788	DllCommonsvc.exe	61
PID 2788 wrote to memory of 2144	2788	DllCommonsvc.exe	61
PID 2788 wrote to memory of 2396	2788	DllCommonsvc.exe	62
PID 2788 wrote to memory of 2396	2788	DllCommonsvc.exe	62
PID 2788 wrote to memory of 2396	2788	DllCommonsvc.exe	62
PID 2788 wrote to memory of 1808	2788	DllCommonsvc.exe	68
PID 2788 wrote to memory of 1808	2788	DllCommonsvc.exe	68
PID 2788 wrote to memory of 1808	2788	DllCommonsvc.exe	68
PID 1808 wrote to memory of 680	1808	DllCommonsvc.exe	90
PID 1808 wrote to memory of 680	1808	DllCommonsvc.exe	90
PID 1808 wrote to memory of 680	1808	DllCommonsvc.exe	90
PID 1808 wrote to memory of 1356	1808	DllCommonsvc.exe	91
PID 1808 wrote to memory of 1356	1808	DllCommonsvc.exe	91
PID 1808 wrote to memory of 1356	1808	DllCommonsvc.exe	91
PID 1808 wrote to memory of 2596	1808	DllCommonsvc.exe	93
PID 1808 wrote to memory of 2596	1808	DllCommonsvc.exe	93
PID 1808 wrote to memory of 2596	1808	DllCommonsvc.exe	93
PID 1808 wrote to memory of 2408	1808	DllCommonsvc.exe	94
PID 1808 wrote to memory of 2408	1808	DllCommonsvc.exe	94
PID 1808 wrote to memory of 2408	1808	DllCommonsvc.exe	94
PID 1808 wrote to memory of 2204	1808	DllCommonsvc.exe	95
PID 1808 wrote to memory of 2204	1808	DllCommonsvc.exe	95
PID 1808 wrote to memory of 2204	1808	DllCommonsvc.exe	95
PID 1808 wrote to memory of 2524	1808	DllCommonsvc.exe	96
PID 1808 wrote to memory of 2524	1808	DllCommonsvc.exe	96
PID 1808 wrote to memory of 2524	1808	DllCommonsvc.exe	96
PID 1808 wrote to memory of 760	1808	DllCommonsvc.exe	98
PID 1808 wrote to memory of 760	1808	DllCommonsvc.exe	98
PID 1808 wrote to memory of 760	1808	DllCommonsvc.exe	98
PID 1808 wrote to memory of 1912	1808	DllCommonsvc.exe	100
PID 1808 wrote to memory of 1912	1808	DllCommonsvc.exe	100
PID 1808 wrote to memory of 1912	1808	DllCommonsvc.exe	100
PID 1808 wrote to memory of 1812	1808	DllCommonsvc.exe	106
PID 1808 wrote to memory of 1812	1808	DllCommonsvc.exe	106
PID 1808 wrote to memory of 1812	1808	DllCommonsvc.exe	106
PID 1812 wrote to memory of 2624	1812	System.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cc421383e06b6fc90b0ec1a85268c2b832bff792f2fdddb871e69287fe9dfa30.exe
"C:\Users\Admin\AppData\Local\Temp\cc421383e06b6fc90b0ec1a85268c2b832bff792f2fdddb871e69287fe9dfa30.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMETC10\DICTS\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
      - C:\Windows\IME\IMETC10\DICTS\System.exe
        
        "C:\Windows\IME\IMETC10\DICTS\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"
        7⤵
        
        PID:2624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2644
        
        C:\Windows\IME\IMETC10\DICTS\System.exe
        
        "C:\Windows\IME\IMETC10\DICTS\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        9⤵
        
        PID:1476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2456
        
        C:\Windows\IME\IMETC10\DICTS\System.exe
        
        "C:\Windows\IME\IMETC10\DICTS\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"
        11⤵
        
        PID:1416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2596
        
        C:\Windows\IME\IMETC10\DICTS\System.exe
        
        "C:\Windows\IME\IMETC10\DICTS\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
        13⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3064
        
        C:\Windows\IME\IMETC10\DICTS\System.exe
        
        "C:\Windows\IME\IMETC10\DICTS\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
        15⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1724
        
        C:\Windows\IME\IMETC10\DICTS\System.exe
        
        "C:\Windows\IME\IMETC10\DICTS\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
        17⤵
        
        PID:1032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1648
        
        C:\Windows\IME\IMETC10\DICTS\System.exe
        
        "C:\Windows\IME\IMETC10\DICTS\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
        19⤵
        
        PID:784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:760
        
        C:\Windows\IME\IMETC10\DICTS\System.exe
        
        "C:\Windows\IME\IMETC10\DICTS\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat"
        21⤵
        
        PID:2368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2912
        
        C:\Windows\IME\IMETC10\DICTS\System.exe
        
        "C:\Windows\IME\IMETC10\DICTS\System.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"
        23⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1484
        
        C:\Windows\IME\IMETC10\DICTS\System.exe
        
        "C:\Windows\IME\IMETC10\DICTS\System.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
        25⤵
        
        PID:1948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2860
        
        C:\Windows\IME\IMETC10\DICTS\System.exe
        
        "C:\Windows\IME\IMETC10\DICTS\System.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Recent\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Recent\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Recent\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\IMETC10\DICTS\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\IME\IMETC10\DICTS\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\IMETC10\DICTS\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ddaf8f53da5485b339f96b903de14b9

SHA1
109a920ff9a6078d67cba932598262a19976f07f

SHA256
305671b0a3a56f3b1c5736d9cfa133fd62f56552f6260de898dc781aaaed98f6

SHA512
9027120507b4657ea9daa9c195a712162da8f3b99179f88e0f7b77352c4f7adcd52416ea855aaa082f751c41dd32c83d78bc9994071abd6826b2550b316ac4b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d41c8425f66f845f54ce997995e882f6

SHA1
e1ad3712fc4bd2c4963fd8175c1e896be7a37a7a

SHA256
232696c186fe9c45482457cebc4e24cebe742f47e4314cafb03b4312a2fc0923

SHA512
45c521de95daa0154d219905dad03308035b5f75239477615b013ba8e41c99365a9a5ad900ec863dd5eccdbe9fa7298f84cde6fd12dd6cc480b40adc3f018cdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5f10c4b8fdd8be1fe5c4454777b47a4

SHA1
2fc6993382b12567af8dc5c082de9864424227a7

SHA256
dd119e339273d685c50608e481f1c24ef64206e013d86aba90208b8e44df905f

SHA512
a2e0c02307e18570dceb0b2e1fcb46ee516442c40e77a81a1c892199010cccc24995b2175bd9c478f5e8154dce30a56aa3294908e262b329ff742f0b83fb2a50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ed135d9de93f32031f8887b801f0940

SHA1
8a56b460d7d5e8ca85fe9f0b06b323b0432f6e42

SHA256
2c2f067229ac9938c54af944a77f86fd3818e4d185774d2b6accf2d44a2582c1

SHA512
23a360c8d261c7d211671f8108dce72bdf3bb03c018f32d51142e38882be9d2079fc4ab7c726289fecf6534b3a4de18db0cfb0eb53f0fc5acb9271bbf1bad31b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e766a36fb405419877f1029b1b63f7a1

SHA1
cf5f52a5493d64e658b2cceb1c5c0a6186aac94c

SHA256
766b5d3dbefef04472f7d2d65af685829a712edd23da7677cca7702e5a606f30

SHA512
4e2497c723b5fa54015947747996965dc481d0a8090aeac28d8fb87f9e4c29f7f3afd95e2e54a1bffb9d4700e2bbe2ecb93ee1ddc3096fb7fc0fdf91fce75daa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f947ee22a54f5f72729c197e3b4abe8c

SHA1
4990f94fb771f19cd049e0af07805655d95b87ac

SHA256
eccbce6e5c1ab9f170899180c69c9ffd59cd71c766ce5528c359495552827ea0

SHA512
31e94c1b71c2f0c47a13aed8d5fccc0fdf799fbaa6b08de509e81c21ad2c2d425a5be742a9adaba1be5b4fcbf7d1fffbfab420de3416d5433584c077f849d2a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b7d23cf6403bb524eefe6d2d4ae7a5e

SHA1
acb407b104e1ac1f2314b2f67725d0aa192801de

SHA256
3f76a034c7895b1ef2eec8164f7c327afd4713e7b4e8c982629ebcf421cb0138

SHA512
03fc46b3c3ed6489d834e6751f4e6e4b059a0e67d6e22865402b818bc8cbfa6a44259900aab5708a4f8b33f3ee1f0ec9a769e6612844d5797d51ac3872b0608b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84e788eb748041a05809eeaed7cdbeaa

SHA1
7f2564d25fe28f43ebca3da6671ef96a4513ba57

SHA256
adfbfaae5636c056585dd75a6a5e138625afb5088bf2a8e6e7ef948f825fd1a2

SHA512
04dfb79efa4cbcca9fbfeb5ddb91d3a89fe02dea60b0e5f3037a7da7ecc5e4a76592f73d82be6fd6ec11f465f2f095bba706c11bd01c837db043f4922c37532d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2626ad2f95a01c9e4e68ea92499508a3

SHA1
16ee2c7db2f1c8b068c624568cab1e4c054f5332

SHA256
e44ebbe448b44a72a3de39d3509e5fc243b8a55ce27decc4998b3fec01b5e1c8

SHA512
e23bec84fbc3a690a7c8b0694ad664d5e25e549cbb754627cb02aab83e60cb66b913668715cec73bed7db982938f0d33a24188c77b9776bb742558c9757c93a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat

Filesize
204B

MD5
8c839111e2c1f524e4ba0b081b6d5b6f

SHA1
1a5b79191c2b3ff0a8488f32e01071565ca26299

SHA256
1b837d1e1aa3d267f705f2235b7a2572d51128fb95e788c74f1f3fbf6353967b

SHA512
b2f62e38cd2b70ad15812de4af158b33475e1c7054d29ca8cfb3bf641c751c721706ec03bb6697381bb3ad67fca16dc8aca1f5de2c72687c151240b7d6c7a65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

Filesize
204B

MD5
00fa07d70a54a18a51fe120d448c5190

SHA1
bd28051ac79bb293bfa2bdc7a64df8f7524ef824

SHA256
3801c264d68b217a6df531c31f46c414cf3131fd83c34e2ff710946b2d13f177

SHA512
4122eb38fd7c551e19d67decb7af707a07244f4edd927343fd92acf03310a13c46295577d99adb3fd9ce125a8bf800fc7d0dcf4fb4d4892813d7d4b63c035115

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat

Filesize
204B

MD5
1e5ef3dd4e906eb7c6f9d5c31024df92

SHA1
565f61121c005af1af4c28ca444865b9ab5f91dd

SHA256
b75fc2278a20554c83187fb40131ca42771528d48b8eb4c808385ddbd868c40e

SHA512
3d2f9cb470388ca6b7000a46d9063e7fb694e134a439f4740bba150dc486c53692d4d857328af4d0a26e124c0622963e990032cab4c75f92549078653d06442c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2F2D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat

Filesize
204B

MD5
469bc008e5fb9a5f2d1f25878e7ee60a

SHA1
0ebde8b10981d60dc827761d73ff2c8576831ea5

SHA256
a5f164f72997864469e75a18e2ccd8607946066e62c32137757e2be7fba2c392

SHA512
5f1db410bf754e358bfa5c42d818c72bc5b7dd049b27686ae527b23325f0196e3130b795b6a1d6bac7e78f49f11d373051ed5499c768de251c159789c62e8148

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

Filesize
204B

MD5
15c7609d34139e64489ddb05a6de1746

SHA1
5e7a4a494b56a5e40ab650872aeba4ac328c8448

SHA256
aa2c39c1ef338e458e251b68614267dc21c58adcc9b08a31d27fa7cce716637c

SHA512
bc5571e8df542e8143e74192662c5219c37fbae94724fc3597b6c86293470423a1195db662e013eaf17581943f24a12327a28501672e423c72ad64269345496b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
204B

MD5
d718b3233d013f888f313b825533ba93

SHA1
80d561b8c7b5eb0bea33c3de6213715a88b30ce1

SHA256
22ea5c0efc95691f8048b618f8260d6885920d8115a33bbe09a9126279e7385a

SHA512
1db54ee4ba7d468a81ee24e0cc224e152a5bf7d2a657b509989c67258d5132d57f73bbaf1bc6402580cc89a9b9702a7f29fd9f00aeb4b5ed154707afb6d5fb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2F4F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat

Filesize
204B

MD5
948fa4277d1244a8f7d45faf0ec7ea9d

SHA1
cc964a8acf1ba66167f0af29f12c544886f8683a

SHA256
83fc4c0bc26e745042950bdc33e5f0a2504fbd4d127d58eaeae6d5767f17e407

SHA512
ec799597ac51a2d61346588641b9af1adda474a17228cc05aa83eec0ddf40ebaf244367a653905368b4b1121a5a547313770d941de6955661c5017f8766e685d

Download Submit
C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat

Filesize
204B

MD5
1ee5c3027423f859c293e61c0136fdb0

SHA1
6763e248d0ad596dd5ca20e83164976b500617a9

SHA256
3157abf7e0b1547ae337f843987a3cb82cdd815060de7b66cddb445c5b974537

SHA512
8c52a3510529a7e76d2474e4f00f40e161e436d46c81c0cda84134c9c0936c125bd09112eeab654c343e7165976b93492973f1b976b70068cefc7cf745cb783a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat

Filesize
204B

MD5
19b52b8d8abc69aa89d114aea50ccfa2

SHA1
8f32dd7e857f3e7664186587953e268b9079329f

SHA256
e43208ff57101699cdad5a47bbf0be265e0afa8e1d3e495fb15f87abbf8cb233

SHA512
dcb1741b54424b1e6290755696fce54dc8d822dffe8f088631ee508ef9120e3a86145434ae396dc85014c3e74d7bbd49d4ca56bbc836ae5185c7b4e1120d8c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat

Filesize
204B

MD5
13ced7a5f9c57d47320f27187767e7e6

SHA1
84b3f27f98548547399dd425e9433c14bf6c55b2

SHA256
6f6b5d40e9811360189a008dd784ad9a251ee1d37a4a06e6baff4af99696d308

SHA512
feaf6a8f80b3207d24d9805b200f1511677bd092c9b692dd55ae332f26cf9406e5c7311facb8754eab7966660e9ce403b29b7883afce98919f436c163483cfca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e2d9763f5c308d66946c19bc693837aa

SHA1
0a838aa3086d6dc9602aad465e6a5bf6cb11addb

SHA256
68a70f2c462a6e14896ecf32af99570e269b64b0d8029f0798528d33ebf01575

SHA512
348ca1d58fbc104b59ae58bf5b0bf3705a22bbee49b154a6b39851d5012b974081c3454ebe59b4af7f8eb9b7252f4c173759ef7de4f7d569000c89e863cc8540

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1032-248-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/1032-249-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1692-429-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/1808-67-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1812-93-0x00000000008B0000-0x00000000009C0000-memory.dmp

Filesize
1.1MB

Download
memory/2004-608-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/2008-309-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2396-47-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/2396-41-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2408-96-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2408-94-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2440-728-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2788-17-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2788-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2788-15-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2788-13-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/2852-489-0x0000000000970000-0x0000000000A80000-memory.dmp

Filesize
1.1MB

Download
memory/3000-369-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/3004-668-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download